The CA (not Certbot) sends email notifications for certificates that are approaching expiry, have not been renewed, and are attached to ACME accounts with email addresses.
The email looks like this:
Hello,
Your certificate (or certificates) for the names listed below will expire in 20 days (on 21 Oct 18 09:21 +0000). Please make sure to renew your certificate before then, or visitors to your website will encounter errors.
We recommend renewing certificates automatically when they have a third of their
total lifetime left. For Let's Encrypt's current 90-day certificates, that means
renewing 30 days before expiration. See
https://letsencrypt.org/docs/integration-guide/ for details.
example.org
For any questions or support, please visit https://community.letsencrypt.org/. Unfortunately, we can't provide support by email.
If you are receiving this email in error, unsubscribe at http://mandrillapp.com/track/unsub.php?u=...
Regards,
The Let's Encrypt Team
Since it is not sent by Certbot, there's not really any way for you to test it.
But, you should not rely on this email anyway. It cannot determine whether your renewed certificate was actually properly deployed or not.
As such, you should instead rely on website monitoring (like Uptime Robot or Pingdom) to actually monitor your web endpoints. They can email you if the actually deployed certificate approaches expiry.
Edit: FWIW, I agree that tracking Certbot's exit code is the best option, and then just scoop up the latest /var/log/letsencrypt/letsencrypt.log
.
Certbot is not a programmable ACME client, it is largely an interactive one. It is possible to build up support tools around it to mechanize it, but it doesn't mean it's a good idea. There are programmable high-level ACME clients that are better suited for the job.